MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 20

Intelligence 20 IOCs YARA 4 File information Comments

SHA256 hash:	0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2
SHA3-384 hash:	2b6029d5bb7303fa21db9234ac771a6cbb7bb841d682635e195dbb8e86a6eb8dee76761dd1cf9e0b6c7b91565a6d56f2
SHA1 hash:	2250bc52cc7a4fb3522f35e89f0253efcfe12e10
MD5 hash:	045dc930244b0432fe9668aa898b56bf
humanhash:	undress-charlie-thirteen-carpet
File name:	E-dekont.pdf.exe
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	826'368 bytes
First seen:	2025-09-27 13:18:21 UTC
Last seen:	2025-10-09 15:05:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:XAiej+o4ZZ7y7+06/8LqdiDYgHNsLnBWxQDpZt:wibfZ7yo9klG0k3t
Threatray	2'115 similar samples on MalwareBazaar
TLSH	T1F305024013A6DF16E0A35FF80870D3795BB8AE9E9412D3434EFE6CDBBC6874169542A3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	a310logger exe geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

E-dekont.pdf.exe

Verdict:

Malicious activity

Analysis date:

2025-09-27 13:28:45 UTC

Tags:

stealer evasion telegram darkcloud ims-api generic

Link:

https://app.any.run/tasks/4c5cba0b-a639-4d25-8385-dba39f8d0883

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/29274/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d7e42e91dd51f6514f272a

Tags:

underscore extens spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap lolbin masquerade msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego telegram vbc vbnet

Link:

https://www.filescan.io/uploads/68d7e44574e5a2898995eedc/reports/04347a9d-0012-4d5c-aa2d-f77a76f7d92f/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-26T07:37:00Z UTC

Last seen:

2025-09-26T07:37:00Z UTC

Hits:

~100

Detections:

VHO:Trojan-PSW.Win32.Convagent.gen HEUR:Trojan-Spy.MSIL.Noon.gen Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Crypt.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb PDM:Trojan.Win32.Generic HackTool.ReconScan.TCP.ServerRequest

Link:

https://opentip.kaspersky.com/0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2/results?tab=lookup

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed5fa9e1-b214-41ba-bf55-0f05db6904b7

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1785205

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected DarkCloud

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.51 Win 32 Exe x86

Link:

https://app.malva.re/file/045dc930244b0432fe9668aa898b56bf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2/

Verdict:

Malicious

Threat:

Family.DARKCLOUD

Link:

https://tip.neiki.dev/file/0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2025-09-26 15:01:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b2twc3ixf4wvnj6es3b33a6w7m73y6h7yptlyq566kjrmaed3kza._file

Verdict:

malicious

Label(s):

unc_loader_037

darkcloudstealer

a310Logger

29a18b2e7ac7681c4c7c2754c0e2508403a865596d822961512f63386153318c

a310Logger

444e6f22cad08e4dd2e50397b6f85f8649b1f384a338f8da07530e1f433341c9

a310Logger

5554ca93846129bc28fdcbfcd24d49ee67a117498bd6bcd99a498c0c48c41288

a310Logger

56c2cb8035b5ba012899b4b1e8c72736aa3fb773d2997aa2486e4833a49a225a

a310Logger

829c252a4c01f72b2f015d5d2990278518c64838dc1ec5efe395e3bdaf139892

a310Logger

93d56b4cba2d0d2f011d31d47f493989549431a4d3a8e916dd848144fe4beaac

a310Logger

c5e1683a015a9b48ed1cfc4d133f0477dd1ad0be481cb18be360e035436d84b2

a310Logger

e1fc2f034a2afc3aaca14122ada80071c3a0fc9cb53e52f9b1b73f4c966342cc

a310Logger

+ 2'105 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud defense_evasion discovery execution spyware stealer

Link:

https://tria.ge/reports/250927-qkg1wazlz3/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

DarkCloud

Darkcloud family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8459604418:AAEe5BJzgytThRakO5ZkWuEuVE2XzWiw0Ow/sendMessage?chat_id=8064644982

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b7bec3e4-84e1-4a6c-ba90-20d54bc230cc

Unpacked files

SH256 hash:

0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2

MD5 hash:

045dc930244b0432fe9668aa898b56bf

SHA1 hash:

2250bc52cc7a4fb3522f35e89f0253efcfe12e10

Link:

https://www.unpac.me/results/a55a0cfe-3080-4ae2-a88a-6364e90e7656/

SH256 hash:

63dae6bbcedabd08371314786fbadb86ceae59640b7e9e4e4cb30d03d6b1dbdd

MD5 hash:

2f458670589b24b129e890e4dc5b9fd9

SHA1 hash:

02761156e746a55e6c54538a1e2e0e83bacaf798

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a55a0cfe-3080-4ae2-a88a-6364e90e7656/

SH256 hash:

ba62e7e89557bb426f1813b06a062db822e8d0141e93936d132b58fd4382af44

MD5 hash:

9c25fef6456290916a73792f1e2f8e54

SHA1 hash:

3bc346d1f860801cf5aaed37014a2efca9170791

Link:

https://www.unpac.me/results/a55a0cfe-3080-4ae2-a88a-6364e90e7656/

SH256 hash:

dbdccd99b92299669a805b02df7092daf2ee435af1d447332312c2f358bb4e81

MD5 hash:

dab0b33660845fff2fb2a6ee3cb3bfcb

SHA1 hash:

798953fd8a2f491a7cc02ceecd257a95629aa675

Detections:

darkcloudstealer

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_CC_Regex

MALWARE_Win_A310Logger

MALWARE_Win_DarkCloud

Link:

https://www.unpac.me/results/a55a0cfe-3080-4ae2-a88a-6364e90e7656/

Parent samples :

0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2
95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a
b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0ea7616d172f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29274/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample